A number of commercial cloud-based password managers inject JavaScript into web pages to automatically populate and submit login forms. These password managers rely on the correct execution of their JavaScript to protect the user’s passwords, but because their JavaScript runs in a potentially untrusted security context, an attacker’s web site can steal the user’s passwords by replacing native JavaScript objects with malicious replicas. In this talk, I’ll describe general techniques for altering the semantics of native JavaScript objects, apply these techniques to extracting passwords from six commercial password managers, and propose an alternative password manager design.
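The failure mode described above, as an added example that is not from the talk or from any of the password managers it covers: Node.js `vm` contexts stand in for browser JavaScript realms, and the origin check, URLs and function names are constructed assumptions. The same check gives a wrong answer when compiled in a page realm whose `String.prototype.startsWith` was replaced, and the right answer when compiled in a separate realm that accepts only primitive strings.

```javascript
// Added example: Node's vm contexts stand in for browser JavaScript realms.
// Every name, URL and script below is constructed for illustration.
const vm = require('vm');

const SAVED_ORIGIN = 'https://bank.example';

// Fill decision written with ordinary natives, kept as source text so the
// same logic can be compiled in either realm.
const CHECK_SRC = `(function mayFill(pageUrl, savedOrigin) {
  return pageUrl === savedOrigin || pageUrl.startsWith(savedOrigin + '/');
})`;

// Constructed page script that swaps a native for a replica.
const TAMPERING_PAGE = 'String.prototype.startsWith = function () { return true; };';

// Create a page realm and let the page's script run first, as it would
// before a password manager's code is injected.
function makePageRealm(pageScript) {
  const realm = vm.createContext({});
  vm.runInContext(pageScript, realm);
  return realm;
}

// Weak: compiled inside the page realm, so "startsWith" resolves through a
// String.prototype the page can rewrite.
function decideInPageRealm(realm, pageUrl, savedOrigin) {
  return vm.runInContext(CHECK_SRC, realm)(pageUrl, savedOrigin);
}

// Hardened: compiled in the manager's own realm. Only primitive strings are
// accepted, so a page-built object with its own methods cannot stand in.
const isolatedCheck = vm.runInThisContext(CHECK_SRC);
function decideIsolated(pageUrl, savedOrigin) {
  if (typeof pageUrl !== 'string' || typeof savedOrigin !== 'string') return false;
  return isolatedCheck(pageUrl, savedOrigin);
}

function demo() {
  const honest = makePageRealm('');
  const hostile = makePageRealm(TAMPERING_PAGE);
  const other = 'https://other.example/login';
  return {
    honestPage: decideInPageRealm(honest, other, SAVED_ORIGIN),    // false
    tamperedPage: decideInPageRealm(hostile, other, SAVED_ORIGIN), // true: wrong
    isolated: decideIsolated(other, SAVED_ORIGIN),                 // false
  };
}
console.log(demo());
```

Realm separation is shown here as a general mitigation; the abstract does not say what the talk's proposed alternative design is.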